Extract Microsoft Sentinel MITRE information to CSV file – Part II

Introduction

In my last blog post (Extract Microsoft Sentinel MITRE information to CSV file – Yet Another Security Blog (garybushey.com)) I went over a PowerShell script that will extract the information from the MITRE ATT&CK page in Microsoft Sentinel. In this post I am expanding on that script with two new parameters

  • ShowZeroSimulatedRuleTemplates
  • ShowAllSimulatedRuleTemplates

This post will go over those new parameters and how I created them

ShowZeroSimulatedRuleTemplates

This parameter (set to false by default) will show those Microsoft Sentinel Analytic rule templates that can be used to provide coverage for any MITRE techniques that currently do not have any rules covering them.

You can think of this as selecting the “Analytics rule templates” in the MITRE page and noting which techniques when from zero to one. This information will then be exporting into a CSV file showing the Tactic name, Technique code, Technique name, and the Rule template name. If there are multiple rule templates that can be used, each one will have its own row.

To get this information, I took the object that contained all the counts (that we went over in the last post). I then iterate through it, looking for those entries that have the “Count” column set to zero. Then, I look for a match of the rule templates using the tactic and technique from that row.

The code is shown below

Function Export-ZeroCoveredSimulatedRuleTemplates ($authHeader, $subscriptionId, $resourceGroupName, $workspaceName, $filename, $tacticCountObject ) {
  $url = "https://management.azure.com/subscriptions/$($subscriptionId)/resourceGroups/$($resourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/$($workspaceName)/providers/Microsoft.SecurityInsights/alertruletemplates?api-version=2021-10-01-preview"
  $ruleTemplateResults = (Invoke-RestMethod -Method "Get" -Uri $url -Headers $authHeader ).value
  foreach ($tacticRow in ($tacticCountObject | Where-Object { $_.count -eq 0 })) {
    foreach ($ruleTemplate in ($ruleTemplateResults | Where-Object { ($_.properties.techniques -eq $tacticRow.technique) -and ($_.properties.tactics -eq $tacticRow.tactic) }) ) {
      $newRow = $simulatedOutput.NewRow()
      $newRow.Tactic = $tacticRow.tactic
      $newRow.Technique = $tacticRow.technique
      $newRow.Name = $tacticRow.Name
      $newRow.RuleName = $ruleTemplate.properties.displayName

      [void]$simulatedOutput.Rows.Add( $newRow )
    }
  }
  $simulatedOutput |  Export-Csv -QuoteFields "RuleName" -Path $filename
}

ShowAllSimulatedRuleTemplates

This is similar to ShowZeroSimulatedRuleTemplates except that it will ALL the rule templates that can be used to provide coverage for any MITRE techniques, if that rule template has not been used already.

This only difference for this code is that, when we look for matching rule templates, we need to make sure that the rule has not been used before. To do this, we need to check that the “alertRulesCreatedByTemplateCount” in “properties” is equal to zero. We also do not need to filter any of the rows in the object that contains the counts.

The code is shown below

Function Export-AllCoveredSimulatedRuleTemplates ($authHeader, $subscriptionId, $resourceGroupName, $workspaceName, $filename, $tacticCountObject ) {
  $url = "https://management.azure.com/subscriptions/$($subscriptionId)/resourceGroups/$($resourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/$($workspaceName)/providers/Microsoft.SecurityInsights/alertruletemplates?api-version=2021-10-01-preview"
  $ruleTemplateResults = (Invoke-RestMethod -Method "Get" -Uri $url -Headers $authHeader ).value
  foreach ($tacticRow in ($tacticCountObject )) {
    #We only want those rule templates that have not been used, hence the check against alertRulesCreatedByTemplateCount
    foreach ($ruleTemplate in ($ruleTemplateResults | Where-Object { ($_.properties.techniques -eq $tacticRow.technique) -and ($_.properties.tactics -eq $tacticRow.tactic) -and ($_.properties.alertRulesCreatedByTemplateCount -eq 0) }) ) {
      $newRow = $simulatedOutput.NewRow()
      $newRow.Tactic = $tacticRow.tactic
      $newRow.Technique = $tacticRow.technique
      $newRow.Name = $tacticRow.Name
      $newRow.RuleName = $ruleTemplate.properties.displayName

      [void]$simulatedOutput.Rows.Add( $newRow )
    }
  }
  $simulatedOutput |  Export-Csv -QuoteFields "RuleName" -Path $filename
}

Summary

Hopefully, the addition of these parameters and additional code will allow to get a better understanding of your MITRE coverage and be used in reports as needed.

Leave a Reply

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.